Oireachtas Joint and Select Committees

Tuesday, 23 May 2023

Joint Oireachtas Committee on Foreign Affairs and Trade, and Defence

Engagement with the National Cyber Security Centre

Dr. Richard Browne:

Those are three really useful questions. I will go in reverse order. To start with the last one, first, we obviously keep a very close eye on vulnerabilities, risks and issues as they arise, looking outwards. It is not merely that people come to us to tell us they have a problem. We look at what systems and processes people are using and actively seek to determine if there are risks in advance. That allows us, by whatever means, either by picking up the phone or going and sitting in someone's office, to tell people that they have a problem. There are always going to be risks out there and part of our role, and our evolving role, particularly in the next couple of months, will be to manage that risk in a much more coherent fashion. We are limited now by legislation, particularly in regard to how we share some of that information, so that is one challenge.

To answer the question specifically, if we had a particular risk or a particular challenge, we would have moved to address it as quickly as we could. Right now, there is nothing that would worry us to that level. There are always risks and there will always be incidents. It is how we move through that process that really counts.

The procurement one is a really important question. I wish we were a week later because we are about to publish something on procurement in the next couple of days. The nature of supply chain risks and how organisations of any scale, public, private or otherwise, manage procurement and supply chain are becoming increasingly important. Anybody who has watched developments in cybersecurity will have seen things like the SolarWinds attack a couple of years ago, which had profound implications for the United States Government, and will also have seen other supply chain attacks in other jurisdictions, including one last week on a supplier to the energy industry. These are really significant challenges, as well as the more passive issues when you buy infrastructure that is not suited or services that do not do quite what they said they would. These are entirely serious questions.

We are about to publish a piece of guidance for public sector bodies on procurement, particularly around procuring services, for example, how do you contract for and procure services that will ensure you limit your risk associated with that service provision. The mid-term review, which we publish in the next couple of weeks, will also have further measures, including a lot of further measures on supply chain security, which is one of those very challenging issues for us. One of the new teams we hope to establish in the next couple of months is on exactly this question, so it is a fundamental one for all of us.

It is also, by the way, international in nature. Supply chains are global and people buy from all over the world, as you would hope and expect. It is also a challenge that everybody in Europe and globally is wrestling with. It ranges from bad actors and from poorly aligned and poorly configured devices and equipment to cloud computing services, so it is a vast challenge. That is the second question.
